Agriculture Canada has taken ‘interim steps’ to meet government data security guidelines

OTTAWA — The department that had the third-highest number of people affected by data breaches over the last decade says it has taken “interim solutions” to protect information, five months after top officials were told there was a “need for cultural changes” on handling government data, according to a security presentation to senior officals.

The top security officer at Agriculture and Agri-Foods Canada (AAFC) goes on to say in a Dec. 4, 2012 presentation that “some initial tactical steps” were taken during the 2011-2012 fiscal year, with more to come this year to increase “awareness and rigor” on information management practices.

“The increased awareness of the threat environment and current security posture has made the need for cultural changes apparent,” one slide point reads.

“There is a risk that the security of AAFC information is not being addressed through all phases of its lifecycle, which could lead to the possible compromise, disclosure and/or exploitation of departmental, collaborator and/or client-sensitive information thus resulting in significant loss of confidence in government and/or legal proceedings against AAFC.”

Copies of the documents were released to Postmedia News under access to information laws.

The presentation noted that by either the end of 2013 or middle of 2014, the department plans to be fully compliant with the government’s security of information policy. Between 2002 and 2012, the department has had 50 data breaches, reporting five of those to the privacy commissioner.

The breaches affected 92,422 people — the third highest reported total among federal departments during that time period.

“The department is implementing interim solutions in this area and is assessing its progress in an ongoing manner,” said spokesman Patrick Girard. Girard didn’t say what the department has done to prevent more breaches from occurring.

He said the shift in culture referred to “the shifting security environment and our need to inform and keep our employees abreast of risks and their impact on their use of technology.”

Over the last 10 years, 3,134 information and data breaches have affected at least 1,075,313 individuals, according to documents tabled in Parliament last month. The list given to federal politicians, however, is incomplete as some departments, such as the Canada Revenue Agency, didn’t provide any figures.

“That’s a ridiculously high number,” said Tony Busseri, CEO of Toronto-based Route1 Inc., an information security company that has contracts with the U.S. Department of Homeland Security and the Canadian government.

“The technology is there and with good leadership and regulations, we would crush the number (of breaches) down.”

Busseri said technology that doesn’t require workers to carry portable data devices, which can be easily lost, can be used to prevent human error leading to a breach. Some departments have already began using more stringent information management practices, including Human Resources and Skills Development Canada, which has banned the use of unapproved USB keys and plans to use software to stop, if necessary, workers from removing data from the department’s secured network.

During the 2012-13 fiscal year, departments reported more than 100 breaches to privacy commissioner Jennifer Stoddart’s office — an all-time high and a 25 per cent increase over the previous fiscal year.

The Opposition NDP have pressed the government for days about the breaches. On Thursday, NDP MPs zeroed in on Agriculture and Agri-Foods Canada, Public Works and Government Services Canada and Human Resources and Skills Development Canada, questioning the Conservatives about the government’s ability to protect sensitive information in its possession.

“Perhaps there may be other things that can be done to better protect people’s personal privacy,” Treasury Board President Tony Clement told the Commons Thursday. “We have done so for veterans, we have done so for mandatory reporting of breaches and we have new guidelines, but we always hope for better ways to deal with these issues.”